A method is provided for authentication of encrypted messages (M). A non-malleable public-key encryption technique is employed, so that an eavesdropper (B) cannot use a previously overheard encrypted message (M) to generate a message which, when sent to a recipient (R), would pass as a message originating from a valid sender (S). In a preferred embodiment, a protocol is provided in which, in response to a message authentication request (req) from a sender, a recipient (R) sends the sender (S) a string (st), encrypted according to the sender's non-malleable public key (E_S). The sender (S) decrypts the string using its private key, and sends the recipient (R) a message (Auth(M,st)) which is a function (Auth) of the string (st) and the message (M) to be authenticated. Because of the non-malleability of the public keys, an eavesdropper cannot impersonate the sender (S) or the recipient (R) and produce a disinformation message which would nevertheless contain the correct authorization string.



[FIG. 2, flowchart: sender S sends an authentication request to recipient R for data message m, which was previously or concurrently sent to R; R sends the response message st, encrypted with S's public key as E_S(st), to S; S sends the authentication message, which is a function of m and st, to R.]
Field of the Invention

The present invention generally relates to the field of encryption of messages for transmission between communication nodes. More specifically, the invention relates to a public-key method for authentication of the source of an encrypted message.

Background of the Invention

Communication systems are often used for communicating confidential messages from a sender to a receiver. Optimally, confidentiality is maintained through physical security, i.e., by communicating a confidential message in such a way that no one other than the sender or receiver has access to the message, such as in a sealed, hand-carried package, over a cable, or by means of some other closed communication medium.

Electronic communication media, such as the public telephone network or wireless transmission, have the advantage of speed and convenience. However, these media do not provide physical security. That is, it is possible for a message sent through these communication media to be overheard by parties from whom the content of the message is to be kept secret.

Therefore, a great deal of attention has been given to the problem of maintaining a level of secrecy of messages which is comparable to physical security. Much of this attention has manifested itself in encryption technology. Various attributes of a cryptosystem influence how well the system maintains a message in confidence.

In particular, a cryptosystem should not be malleable. The property of malleability is discussed in connection with cryptosystems in Dolev, Dwork, and Naor, "Non-Malleable Cryptography," ACM 089791-397-3/91/004/0542, pp. 542-52 (1991). To be non-malleable, a cryptosystem has two attributes. First, the cryptosystem is semantically secure. That is, if any given information about the plaintext is computable from the ciphertext, then that given information is computable without the ciphertext. Second, given a first ciphertext, it is impossible, or computationally infeasible, to generate a second ciphertext such that the plaintexts corresponding with the first and second ciphertexts are related.

The disadvantage of malleability is illustrated as follows: When a set of related messages are encrypted using an algebraic cryptosystem, the resultant encrypted messages sometimes have a corresponding (not necessarily identical) relationship. For instance, if a set of messages have close numerical values in an ascending numerical series, some malleable encryption keys encrypt the messages into a set of encrypted messages which also have close values in an ascending series. While the message may still be difficult to decrypt, an eavesdropper can still make illicit use of the encrypted message.

For example, consider a contract bidding scenario. Suppose that a municipality has voted to construct a new school, has chosen a design, and advertises that construction companies are invited to bid for the contract by submitting bids encrypted using a malleable public key E. Company A encrypts a bid of $1,500,000 using E, and sends the bid over an insecure line. Company B receives the bid, but cannot decrypt the bid because it does not have the municipality's private decrypting key.

However, given the encrypted Company A bid, Company B may be able to produce a message of its own which, when decrypted using the municipality's decrypting key, results in a bid lower than that of Company A. The cryptosystem is malleable if, given the encrypted bid from Company A, Company B has a likelihood of producing such a message which is greater than its likelihood of doing so would be if Company B did not have the encrypted Company A bid. Company B can thus slightly underbid Company A and win the contract, without necessarily knowing what Company A's bid was, or even what its own decrypted bid will be. Clearly, Company A's interests are served by employing a non-malleable cryptosystem, so that Company B is prevented from generating a bid in this fashion.

This scenario illustrates the difference between physical security, in which Company B has no access even to Company A's encrypted bid, and secrecy, produced by encrypting messages. In some contexts, such as this scenario, mere secrecy through the use of a malleable cryptosystem is not a satisfactory substitute for physical security.

A particular area in which secrecy desirably should match physical security is the area of authentication of the source of an encrypted message. Desirably, an authentication scheme should have two attributes. First, the scheme should be secure against attack from an interloper. That is, an interloper should not be able to send disinformation to a recipient and authenticate the disinformation message as being a valid message sent from a legitimate sender. If no reliable message authentication scheme is in place, then a message received by a recipient R and bearing the source address of a sender S could in fact have been sent by an interloper B. Thus, B could send disinformation about S to R.

The second desirable attribute of an authentication scheme is that it should be possible for the recipient R to convince a third party C that the message was in fact sent from the sender S, and not from an imposter B.

An example of a scenario in which authentication is desirable is a scenario called the "chessmaster attack," or "mafia scam." The name is derived from a chess scenario in which a player simultaneously plays white against one grandmaster and black against another. The player effectively plays the two grandmasters against each other by duplicating the moves made by each grandmaster against the other.

The chessmaster attack is illustrated in a scenario called "Identification: Friend or Foe", or IFF. In one possible IFF scenario, a friendly aircraft F and a friendly ground site G_F communicate, and an enemy aircraft N, with the cooperation of an enemy ground site G_N, seeks to communicate disinformation to the friendly aircraft and ground site by impersonating them.

A conventional attempt to establish secure communications is to give the friendly aircraft some secret information s, known only to the friendly ground site. The friendly ground site selects one of a large number of challenges q, and sends q to the friendly aircraft. The friendly aircraft responds with a function F of s and q which is computationally infeasible to calculate without s. Of course, the enemy aircraft may also receive the function. If, later, the friendly ground station challenges the enemy aircraft with a different challenge q', then the required response, a function of s and q', cannot easily be produced, given only q and F(s,q).

However, in a malleable cryptosystem, this communication protocol is subject to attack, using a mafia scam technique. Consider the following sequence of messages, in which the expression following the colon is the message (i.e., a challenge or a response) sent from the first party to the second party:

G_F -> N : q

N -> G_N : q

G_N -> F : q

In this sequence, an enemy plane and ground site, working together, interpose themselves between the friendly ground site and the friendly aircraft, in the manner of a mafia scam. In the fourth step, the friendly aircraft F provides the enemy ground site with the encrypted response f(s,q). Then, in the sixth step, the enemy aircraft sends the encrypted response to the friendly ground site, thereby responding correctly to the challenge from the friendly ground site.

It is possible for the friendly ground site to defeat the enemy's copying by including some special locator information, such as the location of the friendly plane and a time stamp, in the challenge, designated q'. As a result, the enemy plane would need to transmit f(s,q') rather than f(s,q), so mere copying would be insufficient to attack the friendly communication system.

However, the two challenges q and q' are the same, except for the location and the time stamp. In a malleable cryptosystem, f(s,q) and f(s,q') are likely to be similar. Thus, given q, q', and f(s,q), it may be possible for the enemy to obtain f(s,q') and defeat the friendly cryptosystem.
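The IFF exchange above, as an added Python simulation that is not part of the patent: the six-step relay is modelled with a keyed response function f(s,q) = HMAC-SHA256(s,q). The first case shows that copying the response fools G_F when the challenge that reaches F is the same q that G_F issued; the second shows that binding locator information and a time stamp into the challenge q', as the text proposes, defeats copying, because F's response is specific to the challenge it actually answers and a keyed PRF offers no cheap route from f(s,q) to f(s,q'). The `FriendlyAircraft` class, the JSON challenge encoding, the assumption that F declines a challenge naming a position other than its own, and all sample values are constructed for this example.

```python
import hashlib
import hmac
import json


def f(secret: bytes, challenge: bytes) -> bytes:
    """Response function f(s, q): a keyed PRF, infeasible to compute without s,
    and with no usable relation between f(s,q) and f(s,q') for q != q'."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def challenge(nonce: bytes, location=None, timestamp=None) -> bytes:
    """q carries only a nonce; q' additionally binds a location and a time stamp."""
    fields = {"nonce": nonce.hex()}
    if location is not None:
        fields["location"] = location
        fields["timestamp"] = timestamp
    return json.dumps(fields, sort_keys=True).encode()


class FriendlyAircraft:
    """F holds the secret s. Assumption (not stated in the text): F answers only
    challenges that carry no locator, or whose locator names its own position."""

    def __init__(self, secret: bytes, location: str):
        self.secret, self.location = secret, location

    def answer(self, q: bytes):
        fields = json.loads(q)
        if "location" in fields and fields["location"] != self.location:
            return None
        return f(self.secret, q)


def ground_site_accepts(secret: bytes, q: bytes, response) -> bool:
    """G_F recomputes f(s, q) for the challenge it actually issued."""
    return response is not None and hmac.compare_digest(f(secret, q), response)


def mafia_scam(friendly: FriendlyAircraft, q_relayed: bytes):
    """Steps 1-3: G_F -> N -> G_N -> F carry q_relayed (either G_F's challenge copied
    verbatim, or a substitute). Steps 4-6: F -> G_N -> N -> G_F copy F's response
    back unchanged. Returns what G_F finally receives."""
    return friendly.answer(q_relayed)


def simulate() -> dict:
    secret = b"constructed shared secret s"   # constructed sample value
    friendly = FriendlyAircraft(secret, location="grid 17")
    nonce = b"\x01" * 8                         # constructed nonce
    q = challenge(nonce)
    # Case 1: plain challenge q. The copied response is valid for q, so G_F is fooled.
    copied = mafia_scam(friendly, q)
    fooled = ground_site_accepts(secret, q, copied)
    # Case 2: q' binds the position at which G_F sees the enemy aircraft N, plus a time stamp.
    q_prime = challenge(nonce, location="grid 42", timestamp=1700000000)
    relayed = mafia_scam(friendly, q_prime)     # forwarded verbatim: F declines to answer
    stripped = mafia_scam(friendly, q)          # locator stripped: F answers q, not q'
    return {
        "plain_challenge_fooled": fooled,
        "locator_relayed_verbatim": ground_site_accepts(secret, q_prime, relayed),
        "locator_stripped": ground_site_accepts(secret, q_prime, stripped),
    }


if __name__ == "__main__":
    print(simulate())
```

The dictionary returned by `simulate()` is the defender's view: only the first case verifies, which is the weakness the locator-bound challenge q' removes. The paragraph's remaining concern, that a malleable f might let the enemy derive f(s,q') from f(s,q), is exactly what choosing a PRF for f rules out.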

Accordingly, there is a need for a cryptosystem which facilitates the authentication of secret messages, which is not malleable, and therefore not vulnerable to the sort of attacks described above.

Summary of the Invention

Therefore, it is an object of the invention to provide a method and system for authenticating messages which is non-malleable.

To achieve these and other objectives, there is provided in accordance with the invention a method and system in which a public key cryptosystem, employing non-malleable public and private keys, is used for message authentication. A message authentication protocol is employed which, used with the non-malleable public key cryptosystem, provides authentication which is secure from tampering by an eavesdropper/imposter.

The protocol includes the following: In response to a first message received by a recipient and apparently sent by a sender, the recipient sends an authentication string which is encrypted with the apparent sender's public key. The sender, who actually did send the first message, uses its private decryption key to decrypt the authentication string. The sender then sends an authentication message which is a function of the first message and the authentication string.

The above protocol provides authentication of the sender's identity to the recipient because only the sender is able to decrypt the string, which was encrypted using the sender's public key. Moreover, in accordance with the invention, the above protocol is reliable because, since the public key cryptosystem used is non-malleable, no eavesdropper/imposter could have generated the authentication message from the encrypted authentication string.

While the invention is primarily disclosed as a method, it will be understood by a person of ordinary skill in the art that an apparatus, such as a conventional data processor, including a CPU, memory, I/O, program storage, a connecting bus, and other appropriate components, could be programmed or otherwise designed to facilitate the practice of the method of the invention. Such a processor would include appropriate program means for executing the method of the invention.

Brief Description of the Drawings

FIG. 1 is a system block diagram showing two communication devices, S and R, and an interloper B.

FIG. 2 is a flowchart showing an exchange of messages for an authentication sequence according to the method of the invention.

FIG. 3 is a flowchart showing an exchange of messages for an authentication sequence between a sender and a recipient, in which a third party attempts to authenticate a message which did not originate from the sender.

Description of the Preferred Embodiments

The following discussion is applicable to any communication system in which a sender sends a message to a recipient, in which the origin of the message is to be authenticated, and in which an interloper, attempting to send the recipient a disinformation message purportedly from the sender, is to be prevented from doing so. The precise nature of the communication medium and of the sender, recipient, and interloper are not essential to the invention. FIG. 1 is a block diagram representation which schematically shows such a system, including a sender S, a recipient R, and an interloper B.

The technique for message authentication according to the invention includes the use of a public key cryptosystem. A public key cryptosystem was first presented in Diffie and Hellman, "New Directions in Cryptography," I.E.E.E. Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644-54 (Nov. 1976).

In a public-key cryptosystem operable by a plurality of communication nodes, for each node A, there is a public encryption key E_A which is known to all of the other nodes. Each public encryption key E_A describes a procedure for encrypting messages to be sent to the respective node A. For each public encryption key, there is a corresponding private decrypting key known only to the respective node, and which cannot be deduced, given the public encryption key. Therefore, if a message is encoded using the public encryption key E_A then, although any other node can receive the encrypted message, only the node A can decrypt it. Even the sending node cannot decrypt the message, once it has been encrypted.

Public-key cryptosystems first proposed in Diffie et al. are based on the difficulty of computing logarithms mod q, where q is a prime number of elements making up a field. For a quantity representable as a b-bit number, where q is a prime number slightly less than 2^b, encryption or decryption using keys as described in Diffie et al. requires exponentiation that takes at most 2b multiplications mod q. However, decrypting a ciphertext without the key requires taking logarithms with 2^(b/2) operations. Thus, cryptanalysis requires a computational effort which grows exponentially, relative to legitimate encryption or decryption by parties who know the respective keys.

However, because of the dependence on modulo arithmetic, ciphertexts corresponding with ascending plaintexts are piecewise ascending. Thus, the conventional Diffie et al. public key cryptography is malleable, and subject to the attacks described above. In accordance with the invention, this drawback is overcome through the use of a non-malleable cryptosystem. While any non-malleable cryptosystem may be employed in accordance with the invention, a preferred non-malleable cryptosystem is that given in Section 4 of Dolev et al., "Non-Malleable Cryptography," cited in the Background. This document is herein incorporated by reference.

Diffie et al. discusses the problem of authentication, and suggests a one-way authentication system in which a sender "deciphers" the message to be sent, using the sender's private key. The recipient then uses the sender's public key to "encrypt" the "decrypted" message to recover the message itself. Since only the sender could have used the sender's private key, recovering the message using the sender's public key is proof that the sender sent the message.

Given a suitable non-malleable cryptosystem, the method of the invention works as set forth in the flowchart of FIG. 2. The steps of FIG. 2 show communication traffic between a sender S and a recipient R. The objective is to authenticate a data message m, which is to be sent from S to R.

In a first step 2, the sender S sends an authorization request message which indicates that S desires to authenticate the data message m. The authorization request message may include the data message m itself, or may be a command message in accordance with a suitable command format or protocol in use with the communication system supporting the sender S and the receiver R. In this latter case, it is assumed that the data message m itself is sent separately. In effect, the authorization request message is a statement, "I am S, and I wish to authenticate a data message m which I am sending to you."

In step 4, the receiver R responds by sending a response message, preferably a random string st, encrypted using the sender's public key E_S. The string st is preferably chosen at random, or may be based on some predetermined formula. For instance, the string st might be related to a date or time stamp.

Finally, in step 6, the sender S sends the recipient R an authorization message, from which the recipient R is able to establish that the identity of the sender of the data message m is, in fact, the sender S. In a preferred embodiment of the invention, the authorization message is in the form Auth(m,st), where Auth is a function mutually agreed upon between the sender S and the receiver R. Auth is preferably an easily computed function which takes as arguments a message, such as the message m to be authenticated, and a string, such as st. Auth produces an output, preferably in the form of a short string. It is that output, or short string, which is actually sent from the sender S to the recipient R. For any two strings st and st', the probability that Auth(m,st) equals Auth(m,st') should be low.

Additionally, it is preferable that, given m, st, and the output or short string, the recipient R can easily verify that Auth(m,st) equals the output sent from S to R as the authorization message. Thus, when R verifies that the authorization message it received matches the Auth function of the data message m, which R has already received, and st, the string which R sent to S, R thereby verifies that the identity of the sender of the data message m is in fact S.

It is preferable, though not essential to the invention, that the recipient R's public key be used by the sender S to encrypt the authorization request message (assuming that the encrypted data message m was sent separately), and the authorization message Auth(m,st).

To foil an attempt by an imposter B to impersonate the sender S, the public encryption key E_S must be non-malleable. Otherwise, this authorization sequence would be subject to attack, for instance from the mafia scam. Such a scam would work as shown in the flowchart of FIG. 3.

Assume that S sends a data message m to R, and that the imposter B wants to send a disinformation message m' to R in place of S's message m, and to authenticate m' as having come from S. The disinformation message m' has some relationship to the data message m, i.e., m' = f(m). Because, for the purpose of this illustration, the sender S's public key E_S is malleable, it is reasonably easy for B to calculate an E_S(st), given E_S(st'), m, and m', such that there is a relationship between st and st'.

The mafia scam exchange goes as shown in FIG. 3. In step 8, the sender S sends an authentication request, directed to the recipient R, to authenticate a data message m. The request is intercepted by B. In step 10, B sends R an authentication request, identifying itself as S, and requesting authentication of a disinformation message m', which has a given relationship to m.

R responds to B's request, in step 12, by sending a string st', encrypted using S's public key. B cannot decrypt the encrypted string. If, in accordance with the invention, S's public key is non-malleable (step 13), B's attempt to authenticate m' does not get beyond this point. B's attempt is frustrated, and the method of the invention has successfully maintained communication security (step 14).

However, if S's public key is malleable, B can manipulate E_S(st') to produce an encrypted message E_S(st), where Auth(m',st') = g(Auth(m,st)), for some easily computable function g. In step 14, B sends E_S(st) to S.

S then attempts to complete the authorization by sending Auth(m,st) in step 16. B again intercepts this message, applies the function g to it to produce Auth(m',st'), and, in step 18, sends the latter to R. R then believes that S has authenticated the disinformation message m', and B has succeeded in its mafia scam.

However, the success of the mafia scam depends on the malleability of S's public key E_S. If, in accordance with the invention, the public key is not malleable, B is unable to generate E_S(st) from E_S(st'), and the mafia scam fails. Thus, the invention advantageously protects this authentication sequence from attack.
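The following Python program is an added example, not code from the patent. It serves three passages at once: the malleability property described in the Background (a ciphertext can be turned into the ciphertext of a related plaintext), the FIG. 2 protocol of steps 2, 4 and 6, and the interloper's manipulation of E_S(st') in FIG. 3. The public-key scheme is a deliberately small textbook RSA instance over two Mersenne primes with no padding, which is malleable in exactly the Background's sense: multiplying a ciphertext by the encryption of k yields the encryption of st*k. As a stand-in for a non-malleable scheme, a second variant carries a hash tag inside the plaintext and checks it on decryption, so that a manipulated E_S(st) is rejected by S at step 13 before any authentication message is sent. Auth(m,st) is a truncated SHA-256 over m and st, which meets the text's low-collision requirement. The key sizes, the `bind` tag construction, the function names and the sample values are assumptions made here; the tagged variant illustrates the property only and is neither the Dolev et al. Section 4 scheme nor a secure cryptosystem.

```python
import hashlib
import secrets

# Toy textbook RSA over two known Mersenne primes (constructed for illustration only;
# unpadded RSA is malleable, which is the point of the first variant below).
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)
TAG_BITS = 64
ST_BYTES = 16


def rsa_enc(x: int) -> int:
    return pow(x, E, N)


def rsa_dec(c: int) -> int:
    return pow(c, D, N)


def malleate(c: int, k: int) -> int:
    """What an interloper can do to textbook RSA without the private key:
    E(x) * E(k) mod N = E(x*k mod N), a ciphertext of a related plaintext."""
    return (c * rsa_enc(k)) % N


# Variant 1: malleable E_S, the string st encrypted as a bare integer.
def enc_plain(st: int) -> int:
    return rsa_enc(st)


def dec_plain(c: int) -> int:
    return rsa_dec(c)


# Variant 2: integrity-bound E_S, standing in for a non-malleable scheme.
def _tag(st: int) -> int:
    digest = hashlib.sha256(b"bind" + st.to_bytes(ST_BYTES, "big")).digest()
    return int.from_bytes(digest[: TAG_BITS // 8], "big")


def enc_bound(st: int) -> int:
    return rsa_enc((st << TAG_BITS) | _tag(st))


def dec_bound(c: int):
    payload = rsa_dec(c)
    st, tag = payload >> TAG_BITS, payload & ((1 << TAG_BITS) - 1)
    if st >= (1 << (8 * ST_BYTES)) or tag != _tag(st):
        return None                         # out of range or tag mismatch: reject at step 13
    return st


def auth(m: bytes, st: int) -> bytes:
    """Auth(m, st): a short string; distinct st, st' collide with probability about 2^-128."""
    return hashlib.sha256(m + st.to_bytes(32, "big")).digest()[:16]


def run_protocol(enc, dec, st=None, interloper=None):
    """FIG. 2 steps 2/4/6, with an optional interloper acting on the R -> S leg.
    Returns (R accepts the authentication message, S rejected the ciphertext)."""
    m = b"constructed data message m"
    # step 2: S -> R authentication request (m is sent alongside; not modelled further)
    # step 4: R -> S, a random string st encrypted under S's public key
    if st is None:
        st = int.from_bytes(secrets.token_bytes(ST_BYTES), "big")
    c = enc(st)
    if interloper is not None:
        c = interloper(c)                   # B substitutes a related ciphertext in transit
    # step 6: S decrypts with its private key and sends Auth(m, st)
    st_seen = dec(c)
    if st_seen is None:
        return False, True                  # S noticed the manipulation; nothing is sent
    # R compares what it received against Auth of m and the st it chose
    return auth(m, st_seen) == auth(m, st), False


SAMPLE_ST = int.from_bytes(b"constructed-st!!", "big")   # constructed 16-byte string

if __name__ == "__main__":
    tamper = lambda c: malleate(c, 3)
    print("honest,   malleable E_S:", run_protocol(enc_plain, dec_plain, SAMPLE_ST))
    print("tampered, malleable E_S:", run_protocol(enc_plain, dec_plain, SAMPLE_ST, tamper))
    print("tampered, bound E_S    :", run_protocol(enc_bound, dec_bound, SAMPLE_ST, tamper))
```

With the malleable variant the manipulation goes unnoticed by S, which dutifully computes Auth for the related string 3*st; the scam in the text would then need a function g relating Auth(m,st) to Auth(m',st'), which this hash-based Auth does not provide, so R's check still fails. With the bound variant S's decryption returns None and the exchange stops at step 13, which is the behaviour the invention relies on.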



Claims

1. A non-malleable public-key encryption method for authentication of a data message (m) sent from a first communication device S to a second communication device R, the method comprising the steps of:

sending (2), by the first communication device S to the second communication device R, an authentication request message;

responding (4), by the second communication device R, to an authentication request message which was apparently sent by the first communication device S, said first device apparently having sent the data message, the step of responding including sending a response message (st) encrypted with said first device's non-malleable public encryption key (E_S);

decrypting, by said first device S, using its non-malleable public encryption key (E_S), said encrypted response message E_S(st) to obtain the response message (st);

generating, by said first device S, an authentication message (Auth(m,st)) which is a function of the data message (m) and the response message (st);

sending (6), by said first device S, the generated authentication message (Auth(m,st));

verifying, by said second device R, that the received authentication message (Auth(m,st)) matches the authentication message (Auth(m,st)).

2. A method as claimed in claim 1, wherein the response message (st) is a random string.

3. A method as claimed in any preceding claim, wherein the function (Auth) used in said generating step is such that the probability is low that, for any two different string arguments, the function (Auth) produces the same output.

4. A non-malleable public-key encryption communication system for authentication of a data message (m) sent from a first communication device S to a second communication device R, the system comprising:

a first communication device S; and

a second communication device R;

the first communication device S comprising:

means for sending (2), to the second communication device R, an authentication request message;

means for decrypting, using its non-malleable public encryption key (E_S), said encrypted response message E_S(st) to obtain the response message (st);

means for generating an authentication message (Auth(m,st)) which is a function of the data message (m) and the response message (st); and

means for sending (6) the generated authentication message (Auth(m,st));

the second communication device R comprising:

means for responding (4) to an authentication request message which was apparently sent by the first communication device S, said first device apparently having sent the data message, the means for responding including means for sending a response message (st) encrypted with said first device's non-malleable public encryption key (E_S);

means for verifying that the received authentication message (Auth(m,st)) matches the authentication message (Auth(m,st)).

5. A system as claimed in claim 4, wherein the response message (st) is a random string.

6. A system as claimed in any preceding claim, wherein the function (Auth) used in said means for generating is such that the probability is low that, for any two different string arguments, the function (Auth) produces the same output.
[FIG. 2, first box: sender S sends an authentication request to recipient R for data message m, which was previously or concurrently sent to R.]

[FIG. 3, flowchart (partial): B manipulates E_S(st') to produce E_S(st), and sends it on to S; B produces Auth(m',st') from Auth(m,st) and sends it to R; B has broken the security between S and R.]